From c344d100bc1adb217708ec386d736d733413cee9 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Fri, 8 Jan 2010 19:09:37 +0000
Subject: [PATCH] Document impenetrable logic in login secure cookie and redirect handler. fixes #11643

git-svn-id: https://develop.svn.wordpress.org/trunk@12665 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-login.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/wp-login.php b/wp-login.php
index a20e6ffec2..324b28c88f 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -477,6 +477,9 @@ default:
 $redirect_to = admin_url();
 }

+ // If the user was redirect to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
+ // cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting
+ // the admin via http or https.
 if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
 $secure_cookie = false;
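Review bot: The added comment above the `$secure_cookie = false` branch explains the intent but not the cost: with a non-secure cookie only the credential POST is protected by SSL, and the auth cookie is afterwards sent over plain http to the admin pages. I would append a line such as `// Trade-off: the auth cookie is then not SSL-only and travels over http; use force_ssl_admin() if that is not acceptable.` The guard also tests `!$secure_cookie` before assigning `false`, which only has an effect if some other falsy value (presumably an "undecided" default such as an empty string) is treated differently later, and the comment should say so. Small wording fix: "was redirect to" should read "was redirected to". The `default:` case this code sits in starts and continues outside the hunk, so where `$secure_cookie` is initialised and consumed is not visible here.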